Merge pull request #233 from crazy-max/secret-multiline

Handle multi-line secret value
docker · Nov 17, 2020 · eae00c3 · eae00c3
2 parents 9c13ff4 + 1471dfb
commit eae00c3
Show file tree

Hide file tree

Showing 7 changed files with 410 additions and 40 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -121,6 +121,14 @@ jobs:
             localhost:5000/name/app:1.0.0
           secrets: |
             GIT_AUTH_TOKEN=${{ github.token }}
+            "MYSECRET=aaaaaaaa
+            bbbbbbb
+            ccccccccc"
+            FOO=bar
+            "EMPTYLINE=aaaa
+
+            bbbb
+            ccc"
       -
         name: Inspect
         run: |

diff --git a/README.md b/README.md
@@ -44,6 +44,8 @@ ___
 * [Customizing](#customizing)
   * [inputs](#inputs)
   * [outputs](#outputs)
+* [Notes](#notes)
+  * [Multi-line secret value](#multi-line-secret-value)
 * [Troubleshooting](#troubleshooting)
 * [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
 * [Limitation](#limitation)
@@ -631,6 +633,36 @@ Following outputs are available
 |---------------|---------|---------------------------------------|
 | `digest`      | String  | Image content-addressable identifier also called a digest |
 
+## Notes
+
+### Multi-line secret value
+
+To handle multi-line value for a secret, you will need to place the key-value pair between quotes:
+
+```yaml
+secrets: |
+  "MYSECRET=${{ secrets.GPG_KEY }}"
+  GIT_AUTH_TOKEN=abcdefghi,jklmno=0123456789
+  "MYSECRET=aaaaaaaa
+  bbbbbbb
+  ccccccccc"
+  FOO=bar
+  "EMPTYLINE=aaaa
+  
+  bbbb
+  ccc"
+```
+
+| Key                | Value                                            |
+|--------------------|--------------------------------------------------|
+| `MYSECRET`         | `***********************` |
+| `GIT_AUTH_TOKEN`   | `abcdefghi,jklmno=0123456789` |
+| `MYSECRET`         | `aaaaaaaa\nbbbbbbb\nccccccccc` |
+| `FOO`              | `bar` |
+| `EMPTYLINE`        | `aaaa\n\nbbbb\nccc` |
+
+> Note: all quote signs need to be doubled for escaping.
+
 ## Troubleshooting
 
 See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)

diff --git a/__tests__/buildx.test.ts b/__tests__/buildx.test.ts
@@ -1,9 +1,10 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import * as semver from 'semver';
+
 import * as buildx from '../src/buildx';
-import * as docker from '../src/docker';
 import * as context from '../src/context';
+import * as docker from '../src/docker';
 
 const tmpNameSync = path.join('/tmp/.docker-build-push-jest', '.tmpname-jest').split(path.sep).join(path.posix.sep);
 const digest = 'sha256:bfb45ab72e46908183546477a08f8867fc40cebadd00af54b071b097aed127a9';
@@ -118,15 +119,23 @@ describe('parseVersion', () => {
 
 describe('getSecret', () => {
   test.each([
-    ['A_SECRET', 'abcdef0123456789'],
-    ['GIT_AUTH_TOKEN', 'abcdefghijklmno=0123456789'],
-    ['MY_KEY', 'c3RyaW5nLXdpdGgtZXF1YWxzCg==']
-  ])('given %p key and %p secret', async (key, secret) => {
-    const secretArgs = await buildx.getSecret(`${key}=${secret}`);
-    console.log(`secretArgs: ${secretArgs}`);
-    expect(secretArgs).toEqual(`id=${key},src=${tmpNameSync}`);
-    const secretContent = await fs.readFileSync(tmpNameSync, 'utf-8');
-    console.log(`secretValue: ${secretContent}`);
-    expect(secretContent).toEqual(secret);
+    ['A_SECRET=abcdef0123456789', 'A_SECRET', 'abcdef0123456789', false],
+    ['GIT_AUTH_TOKEN=abcdefghijklmno=0123456789', 'GIT_AUTH_TOKEN', 'abcdefghijklmno=0123456789', false],
+    ['MY_KEY=c3RyaW5nLXdpdGgtZXF1YWxzCg==', 'MY_KEY', 'c3RyaW5nLXdpdGgtZXF1YWxzCg==', false],
+    ['aaaaaaaa', '', '', true],
+    ['aaaaaaaa=', '', '', true],
+    ['=bbbbbbb', '', '', true]
+  ])('given %p key and %p secret', async (kvp, key, secret, invalid) => {
+    try {
+      const secretArgs = await buildx.getSecret(kvp);
+      expect(true).toBe(!invalid);
+      console.log(`secretArgs: ${secretArgs}`);
+      expect(secretArgs).toEqual(`id=${key},src=${tmpNameSync}`);
+      const secretContent = await fs.readFileSync(tmpNameSync, 'utf-8');
+      console.log(`secretValue: ${secretContent}`);
+      expect(secretContent).toEqual(secret);
+    } catch (err) {
+      expect(true).toBe(invalid);
+    }
   });
 });